1. Field of the Invention
The present invention relates to detecting a kernel-mode rootkit that hooks the Windows System Service Dispatch Table.
2. Description of the Related Art
A rootkit is a set of software tools intended to conceal running processes, files or system data, thereby helping an intruder to maintain access to a system whilst avoiding detection. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules. Rootkits needs to hide something whether it is a process, a thread, a file, or a registry entry, etc. from user mode applications and from kernel mode device drivers. To achieve that, Rootkits have to alter the execution path of the file system, the processes, the threads and the registry functions.
One popular technique used by Rootkits device drivers is to hook the file system, the process, and the registry query functions inside the System Service Dispatch Table (SSDT) by replacing the functions pointers inside the SSDT table with new pointers that point to their own functions. This change of the execution path would affect all Nt/Zw function calls made by user mode applications and all Zw function calls made by kernel mode device drivers.
One technique for detecting rootkits involves spawning a user-mode investigator process that calls into the user mode Nt functions to enumerate processes and then compare the returned process list with another process list obtained by a controlling kernel mode device driver that calls directly into the Nt functions inside the NT OS Kernel.
Although this technique seems to be a good technique to detect rootkits that hook into the SSDT, it is actually based on spawning of a user mode investigator process. The user mode investigator process is called from another user-mode process (the controlling process). The controlling process will have to communicate with the kernel mode controlling device driver. The usage of user mode processes is not very secure and can be detected by the rootkits device drivers, which can terminate those processes once they are launched.
Some other rootkits detection methods check the System Service Dispatch Table (SSDT) looking for any changes made to the table. For example, one method looks for changes made to certain functions inside the SSDT (mostly the query functions used by rootkits) and then restores those changes to their original values. The main disadvantage of this approach is that the existence of a function hook inside the SSDT is not an indication of the existence of a rootkit, since intrusion prevention solutions typically hook the same functions as those hooked by the rootkits. Therefore, such techniques will generate false positives and will disable security applications.
A need arises for a technique by which a kernel-mode rootkit that hooks the System Service Dispatch Table (SSDT) may be detected that is secure, avoids false positives, and does not disable security applications.